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A scheme of quantum authentication is presented. Two parties share Einstein-Podolsky-Rosen 
(EPR) pairs previously as the authentication key which servers as encoder and decoder. The authen- 
tication is accomplished with local controlled-NOT operations and unitary rotations. It is shown 
that our scheme is secure even in the presence of an eavesdropper who has complete control over 
both classical and quantum channels. Another character of this protocol is that the EPR sources 
are reusable. The robustness of this protocol is also discussed. 
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I. INTRODUCTION 



Quantum cryptography is a field which combines quantum theory with information theory. The goal of this field 
is to use the laws of physics to provide secure information exchange, in contrast to classical methods based on 
\Q | (unproven) complexity assumption. Since the publication of BB84 protocol Q, quantum key distribution (QKD) 
t-H , has developed into a well understood application of quantum mechanics to cryptography. In particular, QKD protocols 
became especially important due to technological advances which allow their implementation in the laboratory 
To guarantee the security of the quantum key in practical applications, quantum key authentication is important as 
well as QKD. Moreover, large quantity of communication tasks in modern society need more reliable authentication 
systems. However, up to now, the security of practically used authentication systems is based on the computational 
difficulty, i.e., they rely on limited advancement of computer power, technologies, and mathematical algorithms in the 
OO ! foreseeable future. 

Recently, several quantum authentication schemes 0-0] have been proposed. The scheme proposed by Dusek et 
al. H| is a combination of classical identification procedure and quantum key distribution. Zeng's Q protocol is 
using EPR pairs as the first authentication keys, and using classical keys distributed in quantum key distribution 
procedure after then. Moreover, two very interesting authentication protocols using entanglement and catalysis Q 
Cin! were proposed by Barnum Q and Jensen et al. |t| respectively. In their protocol, the two parties in communication 
+Jj ■ have previously shared catalyst (a particular pair of entangled particles). The verifier sends the challenge which is a 
half part of some entangled state to the identifier, then they can transfer this entangled state to a special state (the 
state of the catalyst) deterministically by local quantum operation and classical communication (LQCC) with the 
catalyst. However, this task can not be accomplished by LQCC without the catalyst. So the verifier can authenticate 
the identifier by measuring the state of the challenge after the identifier sends it back. 

On the other hand, entanglement of multiparticle system is a important feature of quantum mechanics. In addition 
to their central role in discussion of nonlocal quantum correlations, they form the basis of quantum information such 
as quantum teleportation |J, quantum key distribution, quantum dense coding Jl0| et al. EPR pairs are used as 
communication channels in protocols mentioned above. In this paper, we present a authentication protocol with EPR 
state as the key (encoder and decoder). The authentication is accomplished with local controlled-NOT (C-NOT) 
operations and unitary rotations. 

The paper is structured as follows. In Section II, we give the framework of our authentication protocol, and security 
of this protocol is analyzed in Section III. In Section IV, we consider the nonideal situation and discuss the robustness 
of this protocol. Section V concludes the paper. 

II. QUANTUM AUTHENTICATION SCHEME 

The general task of authentication is verifying the identification of each other of two parties (Alice and Bob) in 
communication, using quantum and classical channel. The protocols are such that if Alice and Bob can successfully 
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complete one, Alice is convinced that Bob (or someone who has stolen his identification token) is on the other end 
of the quantum communication channel. The classical analogue of this can be done by having Bob to reveal, over a 
classical channel, a secret which Alice and Bob had previously securely shared. The quantum protocol presented here 
uses shared entangled states as the counterpart of shared secret key. There is protection, via the no-cloning theorem, 
against copying of the authentication token. And this protocol may provide reusable authentication tokens. 
Alice and Bob have previously shared 2K pairs entangled states in 

|$+> = -^(|00> + |ll». (1) 

An authentication round consists of the following steps. First, for example, Alice acts as identifier and Bob acts as 
verifier. 

When the authentication begin, the two parties rotate their particles' state by 8 respectively. The rotation can be 
described as 

/ cose tin fl\ 

w y — sin cos ) w 

The state |<I> + ) does not change under bilateral operation of R(9). The purpose of this operation is to prevent 
the eavesdropper's impersonation. (The detailed interpretation will be given in Section III.) Then Bob prepares K' 
(K' < K) particles j B in arbitrary pure state 

|^i)=o i |0)+6 i |l), i = l,3,5,---,2A"-l, (3) 

where \a,i\ 2 + \ bi\ 2 — 1, a, and b{ are two complex numbers which are selected randomly. The state \ipi) is only known 
by Bob himself. Bob sends the challenge particle 7^ to Alice in order of i (where i is odd). Thus Alice uses the 
corresponding particle f3 A of the entangled pairs and the particle j B to do a C-NOT operation {fi l A is controller and 
7^ is target) and the three particles' state will be 

I*,) = 4= (<*i |000) + h |001) + a, |111) + b t |110» , (4) 
v2 

then she sends back 7^ to Bob. Bob uses his corresponding particles fi B (which entangled with f3\) to do a C-NOT 
operation on -f B again. Now the state of the key particles and the challenge -f B i s tne same as it at the first 

|*{) - -J= (|00) + |11)) ® (oj |0> + h |1)) = |$+) ® |^) . (5) 

Bob measures j B in basis \ipi) and \il>i}~ L (state orthogonal to \ipi)). If j B is in state it passes the test; otherwise, 
it fails and Bob aborts the protocol. Then Alice becomes the verifier, she prepares K' challenge j l A and uses her 
particle [3\ (i is even) to do the same steps. 

The authentication fails if any of the projective measurements in the previous step fails, or if Alice or Bob receive 
more than K' requests to send back challenge particles. 

If the authentication round succeeds, Alice and Bob retain all 2K pairs of entangled states and can reuse them in 
the next time. However, the security of the entangled states used later is a little less than the original one. If the 
authentication fails, the parties discard all particles used till that point. In this case, Alice and Bob have to start 
again with new keys (EPR pairs). 



III. SECURITY ANALYSIS 



We now discuss the security of this protocol. First, Eve may impersonate Alice when Alice is not present. When Bob 
sends out a challenge j B , Eve intercepts it which she can manipulate using unitary transformation or measurement. 
Since Eve has not shared the key with Bob, she can not entangle this challenge with Bob's key particles. Suppose the 
state Eve send back is 

2 

ft = EPikl$fc}<$fc|, ( 6 ) 
k=l 

IV4> =<4|o> + 4|i>. 
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where pn + Pi2 = 1 and |a' ifc | 2 + \b' ik \ 2 = 1. After Bob's C-NOT operation, the fidelity of the state and the test 
state is 

i 2 

F = ^ + E^ fc ^ e K & Xfc&ifc) + «e KM^'ifc)] , (7) 
fc=i 

where Re{x) is the real part of complex number sc. Since ai and hi are selected randomly, the average value of F is 
That is to say Eve has the probability only ^ to pass the test in one time on the average. The probability that Eve 

is not detected by Bob is (i) on the average, which can be made arbitrarily small by choosing K' large enough. 

Second, Eve may use the method of denial of service. In this type of attack, Eve deliberately causes the authen- 
tication round to fail, and hence causes one party to discard all key particles. Although this protocol is particularly 
vulnerable to this kind of attack, this is not an essential weakness, since an attacker who controls both quantum and 
classical communication can always prevent successful authentication between the legitimate parties. 

We now look at stronger attacks in which Eve tries to obtain key material which she could then use, e.g., in a later 
impersonation attack. Eve's goal is to share pairs of particles in the entangled state with Alice and/or Bob. 

For instance, if she succeeds in obtaining a large amount of key material with Bob, she will be able to authenticate 
herself to Bob without Alice being present. However, if Eve's presence is detected in a single measurement, all the 
previously obtained key material she shares with the verifier who performed that measurement will be worthless. 

Eve has three choices to attack: (I) She can intercept the challenge Bob sends to Alice, and make her own particle 
interact with this challenge, then send the challenge or her own particles to Alice. (II) She can pass the challenge to 
Alice but intercept it when Alice sends it back to Bob, and make her own particles interact with this challenge. (Ill) 
She can combine the strategies (I) and (II). We will analyze Eve's three strategies respectively. 

(I) Since the challenge Bob sends to Alice is not entangled with the key particles, Eve can not share key material 
with Bob or Alice. If she changes the state of the challenge, she will be detected with probability 1 — F, and the form 
of F is the same as Eq. (6). 

(II) In this case, Eve may make his own particles entangle with Alice and Bob's key pairs. However, the challenge 
state is selected randomly, Eve can not make her own particle be maximally entangled with Bob and/or Alice's particle 
deterministically, and the probability she will be detected is 1 — F too. 

However, there exist other more powerful strategy. 

(III) Eve intercept the challenge Bob send to Alice, and send her own particle in state |0) or |1) to Alice. After 
Alice's operation, this particle will be entangled with Alice and Bob's key particles in GHZ state, and Eve can use 
the key to complete authentication with Alice or Bob as efficient as the key shared by Alice and Bob. We can 
defend this attack by an additional step at first. Before Bob sends the challenge to Alice, they do a bilateral rotation 

R(9i) = ( cos ® 1 8 * a n )• The state of the maximally entangled two particles will be unchanged when both Alice 

y " fein t/^ COS yJ % j 

and Bob rotate the ith particle by 0j. However if Eve has entangled her particle with Alice and Bob's particles in 
state |$) ABE — -j= (| 000) + | 111)). In the second authentication process between Alice and Bob, the state will be 
changed to 

m AB E = cos 2 6~ (|000) + |111))+ sin 2 0,-1(1110) + |001)) (8) 

+ sin0iCos0i-^= (jOll) - 1 100)) +sin0j cos 6^ (|101) - |010» 
v 2 V 2 

under the bilateral rotation. When Bob or Alice measures the challenge, the average fidelity will be 1 — ^sin 2 ^, 
and the average probability that they find Eve's attack will be \ sin 2 If 9i is selected randomly and known only 
by Alice and Bob (it can be previously shared and reusable) , the average fidelity of the challenge when Bob test it 
is | and the average probability that Eve will be detected is j. If Eve tries to impersonate Alice or Bob with the 
entangled state \^) ABE , it is easy to verify that the average probability for Eve to succeed is less than 1 — 5 sin 2 0i 
(even Eve knows exactly the value of 0j). 
Now we consider to use a fixed rotation angle for all authentication rounds. 

There exist two special angle, that Eve has two corresponding strategies to impersonate or to obtain the authenti- 
cation key as her particle has been already entangled with Alice and Bob's key particles in GHZ state. When 9 = 
(or ~k ef at), Eve can use her particles impersonate Alice without risk that Bob will detect the impersonation. 
Another special angle is 6 = j (or ^f- et al). In this case, after Alice and Bob rotate their particle by ?, Eve 
can rotate her particle by \ too. Then Eve intercepts the challenge Bob sends to Alice and sends her own particle 
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to Alice, after Alice does a C-NOT operation on Eve's particle, it will be entangled with Bob's particle in EPR state 
and Alice's particle has no quantum correlation with Bob and Eve's particles. The process can be described as 



1 

R 1 

> — 

4 

C'ae 1 

^ 2 



l*W =^[|000) + |111)] ABE (9) 
- |1» (|0) - |1)) (|0) - |1» + (|0) + |1)) (|0) + |1)) (|0) + \1))} ABE 



(|0) + |1)) A ®(|00) + |11)) BB , 



where R = Ra (7r/4) ® R B (7r/4) <g> Re (tt/4) and Cab is a C-NOT operation (A controls E). After Alice sent Eve's 
particle back, Eve uses it to do a C-NOT operation on Bob's challenge, then sends the challenge back to Bob for 
verification. Up to now, Eve has obtained the authentication key without disturbing the authentication process 
between Alice and Bob. 

For an arbitrary 9 (we assume that Eve knows this angle), if Eve tries to impersonate, in the case of sin 2 9 < cos 2 9, 
the optimal strategy for Eve is to do a C-NOT operation on the challenge directly and send back it. The probability 
she will succeed is 1 — 4 sin 2 9. In the case of sin 2 9 > cos 2 9, Eve should do a NOT operation on her particle first, 
then do a C-NOT operation on the challenge before she sends it back. The probability she will succeed is 1 — ^ cos 2 9. 
Sum the two cases, the probability Eve will succeed is 

Pi = max 1 1 - i sin 2 9 , 1 - ~ cos 2 j . (10) 

If Eve tries to get the key, she does a rotation on her particle, then sends her particle to Alice to do a C-NOT 
operation on the particle and Eve can do a another proper rotation on her particle when Alice sends it back 



m.wL = ^ liooo) + |in>W R ^ B KMf.-nw (in 



where Rabe = Ra (9)®Rb (9)® Re (fa) and Re is operation Re (fa)- Then the probability P^ that Eve will succeed 
to obtain the key is 

P 2 = max {F (|$+) ($+| , tr A (|* (9, fa, fa)) ABE ($ (9, fa,fa)\ ABE )) } (12) 

01, 02 

= i(|cos0| + |sin0|) 2 . 

Now we consider the optimal angle Alice and Bob should select if they use a fixed angle 9 for all EPR pairs. Using 
the principle Pi = P2, we can get 

|cos ^7T7I ;Pl = P2 = ^ (13) 

From above we can know, if the authentication process use a fixed rotation angle 9, the successful probability of Eve's 
eavesdropping will be increased. 



IV. ROBUSTNESS OF THE PROTOCOL 



Up to this point, our discussion has assumed that the initial state is ideal maximal entangled state |3> + ). Suppose, 
however, that this state is corrupted a little after reused for many times, Alice and Bob have a state described by 
density matrix 

p=(l-e)|$+)($ + |+e Pl , (14) 

where e is a parameter of the deviation of p from |$ + ) ( < I )+ | and pi is an arbitrary state. Our results are most easily 
presented using the trace distance, a metric on Hermitian operators defined by T (A, B) = Tr (\A — B\) pa], where \X\ 
denotes the positive square root of the Hermitian matrix X 2 . From above, we can get that T(\<S>+) (<f>+\,p) < 2y/l. 
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Ruskai |12] has shown that the trace distance contracts under physical processes. If all operations are exact in 
the next authentication process, since the state \$> + ) will be unchanged in the process, the density matrix p will be 
transformed to 

p' = (l-e) | $+)($+ 1 +ep[, (15) 

and T(|$+> ($+| ,p') < 1^1. 

The fidelities F (|$ + ) ($ + | , p) and F (|$ + ) ($ + | , p') are both no less than 1 — e, so the probability that the authen- 
tication fails is no more than e. In conclusion, we can say that this protocol is robust. 



V. CONCLUSION 



A scheme of quantum authentication using entangled state is presented. Two parties share EPR pairs previously as 
the authentication key which servers as encoder and decoder. The authentication is accomplished with local controlled- 
NOT operations and unitary rotations. This protocol appears to be secure even in the presence of an eavesdropper 
who has complete control over both classical and quantum communication at all times. Our protocol is not rely on 
classical cryptography, and needs not communication of classical information of measurement results or details of 
operation method except the indices of the particle Bob sends to Alice. Compared to the scheme using catalysis, this 
protocol uses state only two dimensions, instead of five dimensions. And compare to other authentication schemes, 
this protocol has the same advantage that the keys are reusable as scheme using catalysis. At the end, we expect that 
this method can be applied in quantum key distribution (QKD) 111 ]. 
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